Andrew W. Appel, Curriculum Vitae


Case 1:17-cv-02989-AT Document 855-3 *SEALED* Filed 09/01/20 Page 1 of 56
ny-1984930 v3

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF GEORGIA
ATLANTA DIVISION

DONNA CURLING, ET AL., Plaintiffs,
v.
BRAD RAFFENSPERGER, ET AL., Defendants.

Civil Action No. 1:17-CV-2989-AT

DECLARATION OF ANDREW W. APPEL IN SUPPORT OF MOTION FOR PRELIMINARY INJUNCTION

ANDREW W. APPEL, declares, under penalty of perjury, pursuant to 28 U.S.C. § 1746, that the following is true and correct:

1. My name is Andrew W. Appel.

2. I am the Eugene Higgins Professor of Computer Science at Princeton University, where I have been on the faculty since 1986 and served as Department Chair from 2009-2015. I have also served as Director of Undergraduate Studies, Director of Graduate Studies, and Associate Chair in that department. I have served as Editor in Chief of ACM Transactions on Programming Languages and Systems, the leading journal in my field. In 1998 I was elected a Fellow of the Association for Computing Machinery, the leading scientific and professional society in Computer Science.

3. I previously provided a Declaration in support of the Curling Plaintiffs’ Reply in Support of their Motion for Preliminary Injunction on December 13, 2019 (Dkt. No. 681-3). My 2019 Declaration is attached as Exhibit A. I have reviewed my 2019 Declaration and my previous findings and analyses remain the same; accordingly, I incorporate by reference my prior Declaration in its entirety, subject to the additional opinions I offer here.

4. My background, qualifications, and professional affiliations were previously identified in my 2019 Declaration and accompanying CV. I have over 40 years’ experience in computer science, and 15 years’ experience studying voting machines and elections. I am not being compensated for my work related to this matter. I expect that my expenses, if any, will be reimbursed.

5. I previously commented on the Declaration of Juan E. Gilbert, submitted 13 November 2019 in my 2019 Declaration. My opinions regarding the shortcomings of Mr. Gilbert’s initial analysis have not changed. In addition, I have read the Supplemental Declaration of Juan E. Gilbert in this case, as well as the Declaration of Jack Cobb, both submitted 26 August 2020.

Gilbert Supplemental Declaration

6. Professor Gilbert’s Supplemental Declaration attempts to address the question of voter verification of votes cast on BMD systems, but his conclusions do not address (nor dispute) the underlying vulnerabilities associated with the use of BMDs as I understand them to be implemented in Georgia. Professor Gilbert does not address any of my prior conclusions regarding the fundamental insecurities with BMDs.

7. In paragraph 7A, Professor Gilbert makes much of the fact that Georgia’s State Election Board (“SEB”) has issued rules intended to require poll workers to remind voters to review their votes before scanning them. Professor Gilbert cites to recently published research from Kortum, Byrne, and Whitmore that suggests reminders to voters to review their ballots.[1]

[1] Philip Kortum, Michael D. Byrne, Julie Whitmore, Voter Verification of BMD Ballots Is a Two-Part Question: Can They? Mostly, They Can. Do They? Mostly, They Don’t (2020) [hereafter Kortum et al.], available at https://arxiv.org/abs/2003.04997.

8. But even Professors Kortum and Byrne and Ms. Whitmore acknowledge the limitations of their own study: “it seems that the next logical question is ‘What can be done to get people to take the time to examine their ballots in the first place?’ There are a number of possibilities, all of which would require additional research in order to understand how efficacious they might be.”[2] (page 16). And they explicitly acknowledge the problem raised by Appel, DeMillo, and Stark,[3] when they write, “Of course, if such efforts are successful in getting most or all of the voters to check their ballots, then we must also investigate how to effectively deal with people finding errors and making sure that those are viewed not as human mistakes but as warning signs of a potential malicious agent in a BMD.”[4] (page 16)

[2] Kortum et al., 16.
[3] Andrew W. Appel, Richard A. DeMillo, & Philip B. Stark, Ballot-marking devices (BMDs) cannot assure the will of the voters (2019) [hereinafter Appel et al.]. A copy of this research is attached as Exhibit B to this Declaration.
[4] Kortum et al., 16.

9. That is: even if some voters detect that the BMD printed fraudulent votes onto their ballot, there’s no effective remedy. That is the problem that Kortum, Byrne, and Whitmore say “we must also investigate.”

10. Importantly, Professor Gilbert does not address this more fundamental problem. Even if a handful of voters in a precinct are able to detect an error, there is no way to prove it and such detection provides no basis to invalidate an entire election, even though the election potentially should be invalidated because of vote-altering malware.

11. In paragraph 12 of his Supplemental Declaration, Professor Gilbert also reiterates his belief that risk-limiting audits (“RLAs”) could help detect the presence of malware, but this conclusion ignores the shortcoming of RLAs when applied to BMDs. RLAs depend on a trustworthy record of the vote expressed by the voter. When the source of the paper trail is susceptible to hacking, bugs, or other malfunctions, as is the case with BMDs, it is not trustworthy. There simply is no method for checking whether any errors in how BMDs record expressed votes altered election outcomes.[5]

[5] Appel et al., 3, 8-9.

Cobb Declaration

12. Mr. Cobb is an employee of the firm paid by the Secretary of State to conduct testing of the BMD system for “Georgia-specific election criteria.” (Cobb Decl. ¶ 6.) Mr. Cobb does not profess to be an expert in election security or in computer security.

13. In Paragraph 5 of his Declaration, Mr. Cobb mentions some testing performed on the Dominion BMD system now used in Georgia, calling it a “security test.” Mr. Cobb’s firm did not perform this testing, and he does not describe any specifics of the certification and testing performed by SLI Compliance. Mr. Cobb references standards developed by the Pennsylvania Department of State for “penetration testing,” but it does not appear that Mr. Cobb’s firm has ever performed any penetration testing of any elements of the Georgia BMD system. Mr. Cobb does not point to any documentation that would show the scope, limitations, or any other details of penetration testing performed on the Georgia BMD system (before or after its deployment across the state), nor does he identify the results of such testing.

14. It is well understood in the cybersecurity industry that penetration testing, even when properly conducted, can only demonstrate the presence of security vulnerabilities. Penetration testing serves to exploit a system’s weaknesses in order to improve security. However, penetration testing cannot demonstrate that a system is free of vulnerabilities, as there may be numerous avenues of attack that are not explored by even comprehensive penetration testing. In addition, penetration testing cannot necessarily demonstrate whether a system has already been infected. This is why penetration testing is used as only one component of a comprehensive risk assessment system.

15. In paragraphs 7 and 8, Mr. Cobb described the acceptance testing his firm performed for Georgia in August 2019, and the use of a hash value to determine that “the correct software” was installed at the time of acceptance. Such reliance on hash values is severely misplaced. It is well understood in the cybersecurity industry that fraudulent software can easily mimic legitimate software by displaying the same hash code. Thus, the use of hash codes does not provide any assurance that the correct software is installed.

16. Based on my preliminary review of the certification report produced by Mr. Cobb’s firm in August 2019,[6] the testing performed by Pro V&V appears to have been limited in scope. The report does not represent itself as a security analysis and the testing does not appear to have included any comprehensive security testing. The accuracy and acceptance testing Mr. Cobb describes in Paragraphs 6 and 7 of his Declaration are not a substitute for a full security assessment.

[6] Pro V&V, Test Report Dominion Voting Systems D-Suite 5.5-A Voting System, Georgia State Certification Testing, (Aug. 7, 2019) available at https://sos.ga.gov/admin/uploads/Dominion_Test_Cert_Report.pdf

17. There is clear consensus in the election security community that there are many layers between “the application software that implements an election function and the transistors inside the computers that ultimately carry out computations.”[7] Any one of these layers could serve as a vector for attack that could introduce fraudulent vote-counting software. Based on my preliminary view of the findings from Pro V&V, it does not appear that any of these layers underlying Georgia’s BMD system were examined.
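
The concern in paragraph 15 about a hash value that the installed software itself displays, shown as an added illustration (not part of the declaration, and not code from any vendor or test lab). The Device model, unit names and byte strings are constructed, and the independent read path is assumed to be trustworthy, which the lower layers described in paragraph 17 may not be.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed byte strings standing in for a certified build and an altered one.
CERTIFIED_IMAGE = b"constructed-build\x00record each ballot as marked\n"
ALTERED_IMAGE = b"constructed-build\x00record each ballot some other way\n"

# Reference hash for the certified build. Computed here from the constructed
# bytes; in practice it would come from the certification record.
REFERENCE_SHA256 = hashlib.sha256(CERTIFIED_IMAGE).hexdigest()


@dataclass
class Device:
    """Hypothetical model of a unit undergoing acceptance testing."""
    name: str
    image: bytes                    # bytes actually installed
    echoes_reference: bool = False  # software shows the expected value regardless

    def displayed_hash(self) -> str:
        # Produced by the installed software, so it is only as trustworthy
        # as that software.
        if self.echoes_reference:
            return REFERENCE_SHA256
        return hashlib.sha256(self.image).hexdigest()

    def read_image(self) -> bytes:
        # Assumption: bytes obtained over a path the installed software does
        # not control (for example storage read on separate equipment).
        return self.image


def accept_by_displayed_hash(dev: Device, reference: str = REFERENCE_SHA256) -> bool:
    """Acceptance check that trusts the value the device displays."""
    return hmac.compare_digest(dev.displayed_hash(), reference)


def accept_by_measured_hash(dev: Device, reference: str = REFERENCE_SHA256) -> bool:
    """Acceptance check where the verifier hashes the installed bytes itself."""
    measured = hashlib.sha256(dev.read_image()).hexdigest()
    return hmac.compare_digest(measured, reference)


def audit(devices):
    """Run both checks on every device and classify any disagreement."""
    findings = {}
    for dev in devices:
        shown = accept_by_displayed_hash(dev)
        measured = accept_by_measured_hash(dev)
        if shown and measured:
            verdict = "match"
        elif shown and not measured:
            verdict = "displayed value not backed by installed bytes"
        elif measured and not shown:
            verdict = "display fault"
        else:
            verdict = "mismatch"
        findings[dev.name] = (shown, measured, verdict)
    return findings


# Constructed fleet: one certified unit, one altered unit that displays its
# true hash, and one altered unit that displays the reference value.
FLEET = [
    Device("unit-A", CERTIFIED_IMAGE),
    Device("unit-B", ALTERED_IMAGE),
    Device("unit-C", ALTERED_IMAGE, echoes_reference=True),
]

if __name__ == "__main__":
    for name, (shown, measured, verdict) in audit(FLEET).items():
        print(f"{name}: displayed_ok={shown} measured_ok={measured} -> {verdict}")
```

unit-C is the case paragraph 15 describes: the displayed-hash check accepts it even though the installed bytes are not the certified build.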